Institutional information technology (IT) centers are responsible for keeping track of, assuring proper configuration of, and providing the latest software to client devices. Client devices include desktop personal computers (PC), mobile laptop PCs, personal digital assistants (PDA), and in certain cases, cellular telephones. IT centers typically manage and update hundreds, if not thousands, of client devices.
The management of client devices often involves the concept of “policy.” Policy defines the operation of client devices as provided by an institutional IT center. A “policy object” is the actual executable code or instructions provided to a client device. Policy allows for uniformity of operation amongst client devices, including common background color, screen saver, graphical user interfaces, boot/reboot frequency, login/logoff procedure, operating system software, and application software.
Policy may include security software that detects malevolent software such as viruses. IT centers are in the best position to determine existing software threats and to provide appropriate policy to client devices to deal with them. If updates are infrequent, there is a considerable chance that damage will result because client devices lack the up-to-date security software that policy would have provided.
Institutional asset management includes keeping track of assets such as client devices and the software installed on them. Policy may include executable code on the client device that requires the client device to send information back to the IT center regarding the client device's serial or asset number. This executable code may be modified to change the frequency of updates back to the IT center. Part of this executable code, or part of another piece of executable code, consists of instructions for the client device to query the IT center for new policy. The frequency of the query typically is included in the instructions for the client device.
Policy administration typically is based on a “pull” system, where client devices go to policy servers to request policy or policy information. In a pull system, it is desirable for client devices to request policy frequently to assure that the client devices are in sync with the latest corporate policies (for example, have the latest virus signatures). The pull system is differentiated from a “push” system, where a policy server or servers provide policy without a request from client devices.
Policy information may include “policy assignments” that provide abbreviated information as well as links to policy objects. A policy assignment may include information as to applicability of a policy object to a client device (i.e., some policy objects apply or do not apply to certain client devices); and where a client device may access the policy object (e.g., a uniform resource locator (URL) directing the client device to a particular website). Policy or policy assignments are sent to the requesting client devices from a policy server or servers.
In a policy administration system a client device may access a policy server through a functional “management point.” In certain applications a management point is part of a policy server. In other applications a management point is separate from a policy server. The management point may administer and track policy assignments sent to client devices. In order to simplify administration from the management point and to assure that client devices are current as to policy, a “full” list of policy assignments is sent whenever a policy object is added, modified, or deleted.
Client devices and policy servers are connected through various networks that include intranets and the Internet. Communication across the networks, in addition to client devices communicating with policy servers, includes client devices communicating with e-mail servers, client devices communicating with other client devices, client devices downloading data from software servers, and various other communications and downloads between computing devices connected across the networks.
The distribution of policy typically requires client devices throughout the enterprise to periodically verify that client device resident software is correctly installed, is up to date, and is working properly. This verification cycle can have negative effects in environments where network bandwidth and/or processing resources are limited. In certain situations, policy or software may be downloaded to a client device even though the client device may already have that particular version of the policy or software.
Typically, the collection of client devices, computers, and networks of an institution is referred to as an “enterprise.” “Bandwidth” is the capacity to communicate across the networks. “Enterprise bandwidth” is the capacity to communicate across the enterprise. The more frequently client devices pull and download policy, software, and lists of policy assignments, the more enterprise bandwidth is consumed, and the remaining bandwidth becomes constrained. As enterprise bandwidth becomes more constrained, the ability to check e-mail, visit the Internet, and perform other network-dependent (i.e., enterprise-bandwidth-dependent) tasks is negatively impacted. Enterprise bandwidth becomes particularly constrained when policy servers are downloading policy and lists of policy assignments to thousands of client devices throughout a limited-bandwidth network.
Enterprise bandwidth may be conserved by a lower frequency of downloads to client devices; however, if policy at the client devices is not kept up to date, problems can arise. Problems include client devices with different versions of software, operating systems, and interfaces. In addition, infrequent updates to anti-virus software and other security software may lead to irreparable damage to client devices and the enterprise. In a pull system, frequent verification is necessary to assure that the proper security policy and software are made available to client devices. However, it is desirable to conserve enterprise bandwidth and avoid unnecessary downloads of policy and software. Instead of sending full lists of policy assignments, enterprise bandwidth can be conserved by sending only the policy assignments that have changed since a list of policy assignments was last sent to a client device. The changed policy assignments are known as a “delta,” or difference from the previous list of policy assignments.
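The following is an added illustration, not code from the patent: a management point that tracks a revision number per policy assignment and answers a client's pull request with either the full list (first contact) or only the delta since the client's last sync. Assignment fields, revision scheme, and the sample data are constructed assumptions, and deletions are carried as tombstones so they also reach clients as part of a delta.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyAssignment:
    # Abbreviated information plus a link to the policy object (hypothetical fields).
    assignment_id: str
    version: int            # bumped whenever the policy object is modified
    applies_to: frozenset   # client classes the policy object applies to
    policy_url: str         # where the client fetches the policy object
    deleted: bool = False   # tombstone so a deletion is delivered as a delta entry


class ManagementPoint:
    """Tracks assignments and the server revision at which each last changed."""
    def __init__(self):
        self.revision = 0
        self.assignments = {}  # assignment_id -> (revision, PolicyAssignment)

    def publish(self, a):
        self.revision += 1
        self.assignments[a.assignment_id] = (self.revision, a)
        return self.revision

    def delete(self, assignment_id):
        _, a = self.assignments[assignment_id]
        return self.publish(PolicyAssignment(a.assignment_id, a.version + 1,
                                             a.applies_to, a.policy_url, deleted=True))

    def pull(self, client_class, since_revision=0):
        """since_revision=0 is a first contact and yields the full (live) list;
        any later value yields only assignments changed after that revision."""
        changed = [a for rev, a in self.assignments.values()
                   if rev > since_revision and client_class in a.applies_to
                   and not (since_revision == 0 and a.deleted)]
        return self.revision, changed


class Client:
    def __init__(self, client_class):
        self.client_class = client_class
        self.known_revision = 0
        self.installed = {}  # assignment_id -> installed version

    def sync(self, mp):
        """Returns (assignments transferred, policy-object URLs actually fetched)."""
        new_rev, changes = mp.pull(self.client_class, self.known_revision)
        downloads = []
        for a in changes:
            if a.deleted:
                self.installed.pop(a.assignment_id, None)
            elif self.installed.get(a.assignment_id) != a.version:
                downloads.append(a.policy_url)  # skip objects already at this version
                self.installed[a.assignment_id] = a.version
        self.known_revision = new_rev
        return len(changes), downloads
```

On a first sync the client receives every applicable assignment; after a single policy object changes, only that one assignment crosses the network, and an unchanged server yields an empty delta.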